10-29-2002 08:48 PM - edited 03-02-2019 02:29 AM
I am having a Cisco 7505 on which some lease line users are coming and it is connected to a gateway. At the gateway BGP is running and users are connected by static routes. I find a big gap between traffic generated and the traffic crossing the gateway. This I concluded by doing a total of input and output traffic of all users and expecting it to be equal to in/out traffic at the gateway plus some overhead. This gap is more than 100%. I wish to know why there is a gap between traffic expected and traffic observed. Additionally one lease line user is constantly complaining of slow access. He doesn't have load on his interface either.
If there is some DoS attack, or some other attack, can I detect it and take corrective action?
---ejaj
10-30-2002 08:07 AM
Hello,
Do you have the right 'bandwidth' configured on that interface?
Edwin van Wijk
10-30-2002 08:10 PM
I didn't define any BW and therefore I assume the BW obtained is controlled by the modem BW spec and the BW of the serial line.
---ejaj
10-30-2002 09:07 AM
You didn't provide very much detail, so I am making various assumptions (e.g. you are running BGP with 2 different providers, etc.).
There are multiple things that could be causing this. If your total traffic is very low, then just the standard BGP updates could account for this, but this is very unlikely. What sorts of numbers are we talking about here? There are many other things that could be causing this, some of which are below:
Is it possible that one of your providers is pushing traffic to the others through your router (either because you are leaking routes or because they have statics pointing at you)?
Is it possible that you are just seeing standard port-scans and probes? Are you getting lots of packets that you are dropping because you do not have a full route for them? Routing your aggregate to Null and making sure you have more specifics for space that is being used will allow you to easily check this (and is a good general practice).
The best way to find this is going to be by exporting NetFlow data and seeing the types of traffic that you are getting and making sure that that looks sane. You could also achieve the same result by having ACLs that permit various traffic (e.g. permit tcp any any eq 80, permit tcp any any eq 25, permit ip any any) and then seeing how many hits each line in the ACL gets.
10-30-2002 08:13 PM
Will you kindly explain more. I didn't get you.
---ejaj
10-31-2002 06:42 AM
OK... If you provide more detail about the design, this would be a lot easier. From what I understand you have a router with presumably 2 connections to upstreams ("outfacing") as you are running BGP, and some "infacing" connections to clients. Your outfacing bandwidth exceeds your infacing bandwidth and you are trying to figure out why... If you provide some numbers so we have some idea of the amount of traffic we are talking about here, it will be easier to provide useful answers (if the sum of your infacing bandwidth is 100k and the sum of your outfacing bandwidth is 200k that is very different to 100Mb and 200Mb!). Also, if you provide more info on the size of the address space "behind" the router that would be good (if you are announcing a /17, you will be getting LOTS more backscatter and portscan traffic than if you are announcing a /29!).
Some ways that you can start dealing with this are to install cflowd (free from CAIDA) or some other NetFlow software (avail. from Cisco and others) and then making the router export flows. You can then dump the flows and see what types of traffic you are getting and from where and to where (e.g. from 1.2.3.4 to 2.3.4.5, port 21, 80000 bytes). More data on setting up NetFlow is available here:
Having this data available is REALLY useful for all sorts of things, like long-term trending, provider selection, DoS detection and mitigation, general debugging, etc.
If you don't want to deal with all of this, there are some other ways to deal with this. The easiest is probably going to be setting up ACLs that log traffic, either to a syslog server or just into the buffer. For example:
ip access-list ex Boop
permit ip any any log
int
ip access-group Boop in
ip access-group Boop out
and then looking through the logs (sho log) to see what traffic is matching. Keep in mind that this does generate extra load on the router, so don't leave the ACLs in place too long. This will give you a good idea of what traffic is entering and leaving.
Also, you say that you are running BGP. This implies 2 upstreams. You can make sure that you are not leaking routes (and becoming transit between providers!) by doing:
sho ip bgp nei
and making sure that you are only announcing the correct space.
Some other tools to deal with this are:
sho cef drop (assuming that you are running CEF!)
sho int
Turning on IP accounting (here is a link on how: http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800b3dda.html) will also give you lots of detail, but opens another whole can of worms!
If you are still having problems, please give more detail about the architecture, etc.
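The reply above suggests two things to look at once the logging ACL is in place: what kinds of traffic are crossing the gateway, and whether any of it is transit between the two providers (neither end inside your own address space, the route-leak case). The script below is an added example, not code from this thread or from Cisco; it parses the syslog lines IOS emits for an ACL entry carrying the log keyword (%SEC-6-IPACCESSLOGP for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP) and tallies packets per service, per source/destination pair and per direction. The prefixes in OUR_PREFIXES and the log lines in SAMPLE_LOG are constructed for the example; replace them with your own announced space and the output of sho log.

```python
"""Summarise Cisco ACL 'log' hits to see what crosses the gateway.

Added example (not from the thread). Parses IOS %SEC-6-IPACCESSLOG* syslog
lines, tallies packets by service and by src/dst pair, and flags packets where
neither address belongs to our own prefixes, i.e. we are carrying transit
between providers. Prefixes and log lines below are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Constructed: the address space this gateway announces and serves.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Matches the body of an IOS ACL log message, e.g.
#   "list Boop permitted tcp 203.0.113.7(1045) -> 192.0.2.10(80), 3 packets"
#   "list Boop permitted icmp 192.0.2.5 -> 203.0.113.9 (8/0), 1 packet"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample of 'sho log' output after 'permit ip any any log'.
SAMPLE_LOG = """\
Oct 31 06:42:01: %SEC-6-IPACCESSLOGP: list Boop permitted tcp 203.0.113.7(1045) -> 192.0.2.10(80), 3 packets
Oct 31 06:42:02: %SEC-6-IPACCESSLOGP: list Boop permitted tcp 192.0.2.10(80) -> 203.0.113.7(1045), 5 packets
Oct 31 06:42:03: %SEC-6-IPACCESSLOGP: list Boop permitted tcp 192.0.2.77(4431) -> 203.0.113.200(1433), 1 packet
Oct 31 06:42:03: %SEC-6-IPACCESSLOGP: list Boop permitted tcp 192.0.2.77(4432) -> 203.0.113.201(1433), 1 packet
Oct 31 06:42:04: %SEC-6-IPACCESSLOGDP: list Boop permitted icmp 192.0.2.5 -> 203.0.113.9 (8/0), 1 packet
Oct 31 06:42:05: %SEC-6-IPACCESSLOGP: list Boop permitted udp 198.18.0.4(53) -> 172.16.40.2(40001), 12 packets
Oct 31 06:42:06: %SYS-5-CONFIG_I: Configured from console by console
"""


def is_ours(addr):
    """True if addr falls inside one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def parse_acl_log(lines):
    """Return one dict per ACL log line; unrelated syslog lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = m.groupdict()
        hit["count"] = int(hit["count"])
        hits.append(hit)
    return hits


def direction(hit):
    """Classify a hit relative to our prefixes; 'transit' means neither end is ours."""
    src_ours, dst_ours = is_ours(hit["src"]), is_ours(hit["dst"])
    if src_ours and dst_ours:
        return "internal"
    if src_ours:
        return "outbound"
    if dst_ours:
        return "inbound"
    return "transit"


def summarize(hits):
    """Aggregate packet counts by service, src/dst pair and direction."""
    by_service, by_pair, by_direction, transit_pairs = Counter(), Counter(), Counter(), Counter()
    for h in hits:
        n = h["count"]
        # TCP/UDP are keyed by destination port; ICMP and others by protocol only.
        service = f"{h['proto']}/{h['dport']}" if h["dport"] else h["proto"]
        by_service[service] += n
        by_pair[(h["src"], h["dst"])] += n
        d = direction(h)
        by_direction[d] += n
        if d == "transit":
            transit_pairs[(h["src"], h["dst"])] += n
    return {
        "total": sum(by_direction.values()),
        "by_service": by_service,
        "by_pair": by_pair,
        "by_direction": by_direction,
        "transit_pairs": transit_pairs,
    }


if __name__ == "__main__":
    report = summarize(parse_acl_log(SAMPLE_LOG.splitlines()))
    print("packets by direction:", dict(report["by_direction"]))
    print("top services:", report["by_service"].most_common(5))
    print("top talkers:", report["by_pair"].most_common(5))
    if report["transit_pairs"]:
        print("TRANSIT (neither end ours, check BGP announcements):", dict(report["transit_pairs"]))
```

Any non-zero transit count is the thing to chase first: it means packets with neither address in your own space are being forwarded, which is exactly what the leaked-routes check with sho ip bgp nei is meant to rule out. Scan-type traffic shows up as many distinct destinations from one source on a single port (the two 1433 hits from 192.0.2.77 in the sample), which is the "port-scans and probes" case mentioned earlier.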